From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] wget 1.19.5: latest patches (01-03)
Date: Wed, 09 May 2018 19:36:23 +0200
Message-ID: <d67fef05-c08b-b57b-a396-11cb359a6ffe@ipfire.org>
In-Reply-To: <a12cdece686affd61c74058d6d4be615ea28f271.camel@ipfire.org>
Hi,
On 09.05.2018 13:14, Michael Tremer wrote:
> Hi,
>
> are any of these security-relevant?
I'm not sure - I read this discussion on bug-wget(a)gnu.org:
***SNIP***
On 05/08/2018 09:16 AM, Josef Moellers wrote:
> > Hi,
> >
> > While trying to upgrade to 1.19.5, we found a bug in wget
> > (src/host.c)
> > where the (non-existing) return value of a void function is assigned
> > to
> > a variable.
> >
> > A patch is appended.
Thanks,
setting timer to NULL is not needed here.
I amended and pushed the patch.
With Best Regards, Tim
***SNAP***
Being curious, I looked at http://git.savannah.gnu.org/cgit/wget.git,
found the two other patches and thought they could be of help.
Unfortunately, I can't judge what effects these bugs have or why they
were added. By now, they're undocumented.
Best,
Matthias
> Best,
> -Michael
>
> On Tue, 2018-05-08 at 20:05 +0200, Matthias Fischer wrote:
>> For details see:
>> http://git.savannah.gnu.org/cgit/wget.git
>>
>> Best,
>> Matthias
>>
>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>> ---
>> lfs/wget | 4 +++
>> ...1-src_hosts_c_remove_void_assignment.patch | 13 +++++++++
>> .../02-src_version_h_add_header_guard.patch | 20 +++++++++++++
>> .../wget/03-src_hsts_h_fix_header_guard.patch | 29 +++++++++++++++++++
>> 4 files changed, 66 insertions(+)
>> create mode 100644 src/patches/wget/01-
>> src_hosts_c_remove_void_assignment.patch
>> create mode 100644 src/patches/wget/02-src_version_h_add_header_guard.patch
>> create mode 100644 src/patches/wget/03-src_hsts_h_fix_header_guard.patch
>>
>> diff --git a/lfs/wget b/lfs/wget
>> index 39f59ba80..f753bef1a 100644
>> --- a/lfs/wget
>> +++ b/lfs/wget
>> @@ -71,6 +71,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> @$(PREBUILD)
>> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
>>
>> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/01-
>> src_hosts_c_remove_void_assignment.patch
>> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/02-
>> src_version_h_add_header_guard.patch
>> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/wget/03-
>> src_hsts_h_fix_header_guard.patch
>> +
>> cd $(DIR_APP) && ./configure \
>> --prefix=/usr \
>> --sysconfdir=/etc \
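Review bot: the three added `patch -Np1 -i` lines apply backports without saying where they come from; neither this hunk nor the commit message names the upstream commits, only the repository root URL. Add a comment above them, or a line in the commit message, with the upstream commit ids and a remark that the patches should be dropped once a wget release contains them, so whoever does the next version bump knows why they are here.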
>> diff --git a/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
>> b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
>> new file mode 100644
>> index 000000000..ba488571c
>> --- /dev/null
>> +++ b/src/patches/wget/01-src_hosts_c_remove_void_assignment.patch
>> @@ -0,0 +1,13 @@
>> +diff --git a/src/host.c b/src/host.c
>> +index 4597f46..b42cd6e 100644
>> +--- a/src/host.c
>> ++++ b/src/host.c
>> +@@ -732,7 +732,7 @@ wait_ares (ares_channel channel)
>> + ares_process (channel, &read_fds, &write_fds);
>> + }
>> + if (timer)
>> +- timer = ptimer_destroy (timer);
>> ++ ptimer_destroy (timer);
>> + }
>> +
>> + static void
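Review bot: in wait_ares the only change is dropping `timer =` in front of `ptimer_destroy (timer);`, which the quoted bug-wget report describes as assigning the result of a void function, so this reads as a build fix rather than a behaviour change, and the commit message should say so given the question about security relevance. `timer` keeps its stale value after the call, but the closing brace in the context lines appears to end the function right after it, so nothing can use the pointer afterwards.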
>> diff --git a/src/patches/wget/02-src_version_h_add_header_guard.patch
>> b/src/patches/wget/02-src_version_h_add_header_guard.patch
>> new file mode 100644
>> index 000000000..5fd75b975
>> --- /dev/null
>> +++ b/src/patches/wget/02-src_version_h_add_header_guard.patch
>> @@ -0,0 +1,20 @@
>> +diff --git a/src/version.h b/src/version.h
>> +index aeae086..ee40bb1 100644
>> +--- a/src/version.h
>> ++++ b/src/version.h
>> +@@ -27,6 +27,9 @@ Corresponding Source for a non-source form of such a
>> combination
>> + shall include the source code for the parts of OpenSSL used as well
>> + as that of the covered work. */
>> +
>> ++#ifndef WGET_VERSION_H
>> ++#define WGET_VERSION_H
>> ++
>> + /* Extern declarations for strings in version.c */
>> + extern const char *version_string;
>> + extern const char *compilation_string;
>> +@@ -34,3 +37,5 @@ extern const char *link_string;
>> +
>> + /* Extern declaration for string in build_info.c */
>> + extern const char *compiled_features[];
>> ++
>> ++#endif /* WGET_VERSION_H */
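Review bot: the new `WGET_VERSION_H` guard wraps only `extern` declarations in the visible context, and repeating an extern declaration is legal C, so this is include hygiene with no effect on the built binary; say that in the commit message so the patch is not mistaken for a functional fix.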
>> diff --git a/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
>> b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
>> new file mode 100644
>> index 000000000..786d28851
>> --- /dev/null
>> +++ b/src/patches/wget/03-src_hsts_h_fix_header_guard.patch
>> @@ -0,0 +1,29 @@
>> +diff --git a/src/hsts.h b/src/hsts.h
>> +index 257f0b0..0065d9f 100644
>> +--- a/src/hsts.h
>> ++++ b/src/hsts.h
>> +@@ -26,13 +26,13 @@ grants you additional permission to convey the resulting
>> work.
>> + Corresponding Source for a non-source form of such a combination
>> + shall include the source code for the parts of OpenSSL used as well
>> + as that of the covered work. */
>> +-#include "wget.h"
>> +
>> +-#ifdef HAVE_HSTS
>> ++#ifndef WGET_HSTS_H
>> ++#define WGET_HSTS_H
>> +
>> +-#ifndef HSTS_H
>> +-#define HSTS_H
>> ++#ifdef HAVE_HSTS
>> +
>> ++#include "wget.h"
>> + #include "url.h"
>> +
>> + typedef struct hsts_store *hsts_store_t;
>> +@@ -48,5 +48,5 @@ bool hsts_store_entry (hsts_store_t,
>> + time_t, bool);
>> + bool hsts_match (hsts_store_t, struct url *);
>> +
>> +-#endif /* HSTS_H */
>> + #endif /* HAVE_HSTS */
>> ++#endif /* WGET_HSTS_H */
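Review bot: the first hunk moves `#include "wget.h"` from above `#ifdef HAVE_HSTS` to inside it, so hsts.h no longer pulls in wget.h before testing the macro. If HAVE_HSTS reaches the compiler through wget.h (not visible in this patch), a source file that includes hsts.h first now gets an empty header, and because `WGET_HSTS_H` is defined outside the `#ifdef`, including it again later does not help. Check that every includer of hsts.h includes wget.h first, or keep the include above `#ifdef HAVE_HSTS` and inside the new guard.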
>